The National Security Agency has said that it will end its access to most bulk data collected under a controversial surveillance program in November, but keep records for litigation purposes.

The office of the Director of National Intelligence said in a statement that the bulk telephony data -- the subject of leaks by former intelligence contractor Edward Snowden which shocked many in the US and abroad -- would be destroyed "as soon as possible" to comply with a law passed by Congress in early June.

The statement said that during the 180-day transition period required under the USA Freedom Act, "analytic access to that historical metadata... will cease on November 29, 2015."

But it added that "for data integrity purposes," NSA will allow technical personnel to continue to have access to the metadata for an additional three months.

The NSA must preserve bulk telephony metadata collection "until civil litigation about the program is resolved, or the relevant courts relieve NSA of such duties."

The data kept for litigation "will not be used or accessed for any other purpose, and, as soon as possible, NSA will destroy the Section 215 bulk telephony metadata on expiration of its litigation preservation duties."

Some of the features introduced in HTML5 can be used to hide web-based exploits and help them evade security.

Researchers from the University of Salerno and the Sapienza University of Rome in Italy have used three different techniques to obfuscate exploits like the ones usually used in drive-by download attacks.

Functionality provided by HTML5 can be efficient for malware obfuscation, the Italians have proved.

Modern security software can detect a big chunk of threats, but if they use some HTML5 features to hide the exploits served in drive-by download attacks, they could evade static and dynamic detection systems.

HTML5 has a series of scripting application programming interfaces (APIs) that can be used with JavaScript.

Experts say some of these APIs can be used to deliver and assemble the exploit in the web browser without being detected.

One method dubbed "delegated preparation" involves delegating the preparation of the malware to system APIs.

Another called "distributed preparation," shares the code over concurrent and independent processes running within the browser.

A third involves triggering the code preparation based on the user's actions on the malicious webpage or website.VirusTotal detection rates for these sorts of obscured attacks remains low.

The paper published by researchers, with the catchy title of "Using HTML5 to Prevent Detection of Drive-by-Download Web Malware," contains recommendations about some of the steps that can be taken to counter these obfuscation techniques.

The software genii at Apple have redesigned their OSX software to allow malware makers to make designer micro-software that can infect Macs with rootkits.

Obviously the feature is one that Apple software experts designed specifically for malware writers, perhaps seeing them as an untapped market.

The bug in the latest version of Apple's OS X allows attackers root user privileges with a micro code which could be packed into a message.

Security researcher Stefan Esser said that this was the security hole attackers regularly exploit to bypass security protections built into modern operating systems and applications.

The OS X privilege-escalation flaw stems from new error-logging features that Apple added to OS X 10.10. Plainly the software genii did not believe that standard safeguards involving additions to the OS X dynamic linker dyld applied to them because they were protected from harm by Steve Job's ghost.

This means that attackers to open or create files with root privileges that can reside anywhere in the OS X file system.

"This is obviously a problem, because it allows the creation or opening (for writing) of any file in the filesystem. And because the log file is never closed by dyld and the file is not opened with the close on exec flag the opened file descriptor is inherited by child processes of SUID binaries. This can be easily exploited for privilege-escalation," Esser said.

The vulnerability is present in both the current 10.10.4 (Yosemite) version of OS X and the current beta version of 10.10.5. Importantly, the current beta version of 10.11 is free of the flaw, an indication that Apple developers may already be aware of the vulnerability.

An Apple spokesman said that engineers are aware of Esser's post of course they did not say they would do anything about it. They will have to go through the extensional crisis involved in realising that their product was not secure or perfect. Then the security team will have to issue orders, signed in triplicate, sent in, sent back, queried, lost, found, subjected to an internal inquiry, lost again, and finally bury it in soft peat for three months and recycled as firelighters.

AtHoc makes secure, networked crisis communication software. Its platform enables people, devices and organisations to exchange critical information in real time during business continuity and life safety operations.

It looks like Blackberry will integrate AtHoc's software into its enterprise portfolio and trusted global network.

The acquisition will enable AtHoc to expand globally and increase scale, as well as deliver new applications on a secure platform for mass communication.

New applications may include integrating AtHoc solutions with BBM Meetings during an alert to enable live video feeds or transmit messages to provide real-time collaboration by leaders and decision makers.

AtHoc's networked crisis communications platform alerts any device – including iOS, Android, PC and Mac desktops, digital displays, radios, IP phones, and endpoints such as sirens, fire panels and speakers – helping organisations and people to connect and share information in times of crisis.

It's key customer is the US Departments of Defense (DoD) and Homeland Security but it also sells to enterprises across the world, including healthcare providers and industrial facilities.

John Chen, BlackBerry Executive Chairman and CEO said that BlackBerry was making strategic investments in security, privacy and the Internet of Things.

The transaction is expected to be completed in BlackBerry's 2016 fiscal third quarter and is subject to customary closing conditions.

The amount of spam clogging up the internet is officially the lowest it has been for ten years.

According to spam counters at Symantec only 50 per cent of email was spam. In June, Symantec saw 704 billion email messages sent. Of those, 353 billion were classified as spam. At one of the peaks of the spam epidemic in June 2009, 5.7 trillion of the 6.3 trillion messages sent were spam.

Apparently the spam levels have been falling since 2010. This is partly because network providers are more tuned into the problem and take action faster when there are issues on their services.

It is also not possible to send billions of messages per day from massive botnets as coppers have aggressively gone after some of the largest botnets over the last few years and worked to technically shut them down.

Botnet operators have been able in some instances to regain control but the increased attention makes it harder for them to get away with it.

Improved filtering and blocking also means that fewer unsolicited marketing messages reach inboxes where people might click on a message to buy a product.

It has never been really clear who replies to spam and as a sales method it is pretty rubbish. Most of the stuff we get is from Chinese companies and Nigerian spammers or other scammers.

Symantec claims that phishing and email-based malware fell in June, which is evidence that "attackers are simply moving to other areas of the threat landscape."

Research from Accenture has discovered that people have really had enough of passwords.

The research, based on a survey of 24,000 consumers across six continents could signalling a potential change in a widespread practice because most consumers consider usernames and passwords cumbersome and are interested in using alternatives to them to protect their security on the Internet.

More than 60 percent of consumers find usernames and passwords cumbersome, and more than three-fourths (77 percent) are interested in using alternatives to protect their security on the Internet.

Robin Murdoch, managing director of Accenture’s Internet and Social business segment said that the widespread practice of typing usernames and passwords to log on to the Internet might soon become obsolete.

“Consumers are increasingly frustrated with these traditional methods because they are becoming less reliable for protecting their personal data such as email addresses, mobile phone numbers and purchasing history.”

The research reveals that openness to alternatives is pervasive in countries in many different parts of the world, with consumers in China and India most likely to be open to alternatives, at 92 percent and 84 percent, respectively. More than three-quarters (78 percent) of consumers in each of Brazil, Mexico and Sweden, and 74 percent in the United States, are also willing to consider security methods other than usernames and passwords.

“As hackers use more-sophisticated and less-obvious methods, passwords are no longer seen as the definitive answers to the security question,” Murdoch said. “Traditional one-step passwords are now being matched with alternative methods using biometric technologies such as fingerprint recognition and two-step device verification. Within the next few years we are likely to see many more consumers embracing these and other alternative methods.”

The survey also found that less than half (46 percent) of consumers globally are confident in the security of their personal data. Consumers in emerging countries were slightly more confident in the security of their personal data than were those in emerging countries, at 50 percent and 42 percent, respectively.

“Digital trust concerns are not limited to one type of country or part of the world,” Murdoch said. “In developed and emerging countries, consumer wariness about data privacy and digital trust is intensifying as the exploding Internet of Things market generates unprecedented amounts of consumer data on more devices. Companies that build the most trust with consumers will be able to access more consumer data, use analytics to unlock more value from that data, and offer more revenue-generating services and applications leveraging Internet of Things opportunities.”

The Core Infrastructure Initiative (CII) has been talking about its efforts to figure out what Linux projects need support now, instead of waiting for them to break.

Dubbed the Census Project the initiative has been finding an embarrassing number of flaws in common core Linux system utilities that have network access. Some of them have nowhere near enough development relative to their importance.

A copy of the census data downloaded from GitHub on Friday morning showed 395 projects in the census, with the top-listed projects to be core Linux utilities. Ftp, netcat-traditional, tcpd, and whois all scored 11 out of a possible 15.

High scores in the survey, said the CII in its page on the project, don't mean a given program should be ditched, or that it's to be presumed vulnerable. Rather, it means "the project may not be getting the attention that it deserves and that it merits further investigation."

For example Apache's https Web server, a large and "vitally important" project with many vulnerabilities tracked over the years, ranked as an 8 in part because "there's already large development & review team in place."

Busybox, a project found in many embedded Linux applications that has been implicated before with security concerns, ranked even lower, at 6.

However complications posed by dependencies between projects can create a security mess. The libaprutil1-ldap project has a score of 8 with a note that "the general Apache Portable Runtime (APR) appears to be actively maintained. However, it's not as clear that the LDAP library in it is as actively managed."

Likewise, anything that uses the Kerberos authentication system can be problematic.All this is a move away from sponsoring known-broken projects or those visibly in jeopardy such as OpenSSL, the Network Time Protocol, and GnuPG.

Apple's faith based security system could end up smashing every iPhone and IPad in the world and thus saving the world.

Don't get us wrong, we thing that is a good thing and if it was not for a court order and better police surveillance methods we probably would be out there with hammers raising the world's standards by smashing every iPhone and iPad we see (we would smash watches but we have never seen anyone with one of those).

But now it seems that Apple's poor attitude to security might be doing that for us. Apple's security, which is normally the first to fall in any hacking contests, is based on a belief that it is really secure and hacking only happens to Google or Microsoft machines.

There is no evidence of this, but it is probably a belief listed in Apple's Terms and Conditions.

Now security experts from FireEye security firm claim that the combination of three malwares can allow the hackers to forcibly demolish, break and hijack the iPhones and iPads. Effectively sending them to silicon heaven.

According to FireEye, they mentioned the doomsday scenario to Apple and it is apparently waiting for orders signed in triplicate, sent in, sent back, queried, lost, found, subjected to public enquiry, lost again, and finally buried in soft peat for three months and recycled as firelighters.

The first malware is dubbed as the 'Manifest Masque.' It directly causes problems to people who use third party applications stores. The second malware is dubbed as the 'Extension Masque.' This malware infiltrates the device's capability to protect the applications from malware. In other words, your device is not able to protect its applications from malwares.

Both of these malwares complement each other in breaching the devices security. This can result in a serious threat to the user's personal information such as GPS location, contacts, call logs, etc.

FireEye's CTO EMEA, Greg Day says that this threat can potentially kill, replace or tamper with apps.

The third malware is dubbed as the 'Plugin Masque.' This malware can cripple your device's ability to create a Virtual Private Network (VPN), which can result in all sorts of hacks, including the hacks from government agencies.

According to FireEye, any users who have not updated their iOS versions above 8.1.3 can be a potential victim to this major flaw.

Apple has not made any announcements and the security team is believed to be sitting in the lotus position chanting "Steve Jobs protects us from all malware, only Android has malware for our software is perfect."

For each piece of Apple gear out there which is destroyed, the evolution of technology and humanity is raised by just a fraction... just throwing out seeds on a poor news day.

Security Outfit Sophos has told the world it is worth a billion pounds as it head to what will be the largest flotations by a technology company in the UK.

The company, which majority-owned by private equity group Apax Partners, said the shares will be priced at 225p which will raise $125m. This is more than it had planned when the company announced its intention to float on the London Stock Exchange earlier this month.

Sophos is a good bet to do well. People are extremely interested in security after high-profile hacking of key companies. But Sophos has developed a niche by targeting products at small and medium-sized companies, which typically cannot employ huge IT teams on-site and require simpler and cheaper options than those adopted by large corporate entities.

But there are some nay-sayers saying nay.

Analysts at Megabuyte, the research group, said in a note that it was "a little perplexed" with the "toppy" valuation for Sophos, saying such a high level was sustainable only if the company could continue to accelerate its revenue growth.

It is the third time that Sophos has attempted an IPO. It was forced to pull plans to list in 2007 at the last minute when the financial crisis hit.It considered a float again two years later but but co-founders Jan Hruska and Peter Lammer opted instead to sell a majority stake to Apax in 2010 through a deal that valued the company at about $830m.

Sophos said the proceeds of the IPO will help reduce its net debt, which stood at $318m at the end of April, as well give it "greater financial flexibility to drive the future growth of the business".

Sophos has gone a little dark lately after losing its media friendly spokesman Graham Cluely. In the Good old days Sophos was mentioned everywhere thanks mostly to Cluely being widely quoted everytime there was a security story.

Google's latest beta feature on Chrome has come up with a method of killing off battery draining flash heavy sites.

On the latest beta Chrome is a new toggle that lets users select which Flash content will be automatically played and which content will not.

Google has been working closely with Adobe to create this feature and make sure that only content that "isn't central to the webpage" gets blocked. If anything gets accidentally filtered then you can simply click on it to resume.

This feature might also improve battery life on mobile devices like laptops. It is still useful but it probably have been more useful a few years ago or if you visit porn sites – or so we are told.It will be coming to stable desktop builds in the next few months.Version 23 also gives users an option to send a "do-not-track" request to websites and online services, although Google warned that this feature's effectiveness depends on how the sites and services field these requests.Chrome 23 also consolidates in an icon next to the URL a website's permission settings for things like geolocation identification, pop up messages and camera-microphone access.You can click on the page/lock icon next to a website's address in the omnibox to see a list of permissions and tweak them as you wish.Security fixes include one flaw which is mostly an Apple iOS one. This defends against wild writes in compromised graphics drivers.Google fixed 13 other security vulnerabilities, including five rated High and seven rated Medium.